• Tag : Firewall


MSS-FW: Offload Policy Traffic Logging

Description Macro-Segmentation Service with Layer 3 firewall (MSS-FW) provides a mechanism to offload policy enforcement on TORs to prevent overwhelming the firewall with traffic. This enhancement provides an option to enable logs for traffic enforced by offloaded policies on TORs. Platform compatibility DCS-7060X DCS-7060X2 DCS-7260X3 DCS-7050X DCS-7050X2 DCS-7050X3 Configuration CVX First, the user needs to enable a newly introduced traffic log configuration on CVX under service mss configuration mode. The general syntax of the command is: [no | default] policy offload traffic logging For example, the following configuration enables traffic logs for offloaded policies cvx(config-cvx)#service mss cvx(config-cvx-mss)#policy offload traffic logging...
Continue reading →

MSS-FW: Unidirectional Policy Enforcement

Description Macro-Segmentation Service with Layer 3 firewall (MSS-FW) enforces all security policies bi-directionally by default by creating flows that match forward and reverse direction traffic based on the tagged policy. This enhancement provides unidirectional enforcement as an option for verbatim policies. For such policies, MSS enforces the security objective (drop, allow, or redirect) only for the forward direction traffic. This will also result in better utilization of the hardware resources in such scenarios. Usage The following scenarios can be benefited by using this feature: Blocking certain client subnets to connect to a server at the top of rack switch using...
Continue reading →

Macro-Segmentation Service deployment in a Brownfield Environment

Description This document presents how Arista Macro-Segmentation Service (MSS) can be deployed in a brownfield environment with a mix of non-Arista switches. This solution targets a VXLAN based network where both Arista and non-Arista Virtual Tunnel Endpoints (VTEPs) share the overlay reachability using the EVPN control plane.The following figure depicts such setup: In order to enable security enforcement with MSS, the user can put the resources that they would want to protect behind Arista VTEPs and express the security objectives using firewall policies. Moreover, this feature allows the user to enable MSS in a multiple datacenter (DC) environment where a...
Continue reading →

Consistent Policy Enforcement and Multi-VRF support for Macro-Segmentation Service

Description This document presents Arista Macro-Segmentation Service (MSS) deployment in a network with multiple Virtual Routing and Forwarding (VRF) instances. MSS can ensure more granular segmentation within a VRF, either by attracting a subset of east-west traffic to the firewall or enforcing the security objective at the top-of-rack (TOR) switches. This document also explains the policy enforcement guarantee that MSS provides in the presence of switches with varying hardware resources. Summary of Enhancements This section briefly describes the enhancements made to the current set of MSS features in this release: MSS now can be enabled in a non-default VRF in...
Continue reading →

How to Enable Application Firewall on Arista Access Points

Introduction Arista Access Points include an Application Firewall feature, which allows you to define firewall rules at application level/Layer 7. This feature can be useful in corporate environments where the requirement is to either allow or block certain applications. The applications that the Arista APs are able to recognize can be broadly classified into the following categories. Messaging Proxy File Transfer Networking Web Services Remote Access VPN and Tunneling Database Network Monitoring Collaboration Games Streaming Media Streaming Media- Messaging Mail Social Networking Prerequisites Administrative access to CloudVision Wi-Fi (CVW) / Wireless Manager (WM). Application Visibility should be enabled on the...
Continue reading →

Hardware based firewall

Description The hardware based implementation of the firewall uses a segment security model. In the segment security model, groups of interfaces, subnets, or IP prefixes are classified into segments. This allows for defining policies to govern the flow of traffic between a pair of segments called “from-segment” and “to-segment”. The policies define inter segment communication rules. For example, segment A can communicate with segment B over TCP port 80. By default, no communication is allowed between segments. Explicit rules are required to be configured to allow any communication between segments. However, communication is always allowed within the same segment. The...
Continue reading →

Arista Macro Segmentation Service (MSS) integration with Check Point Software Technologies Firewalls

Description This document explains how to configure and deploy Arista MSS with Check Point Software Technologies firewalls (henceforth will be referenced as just Check Point). The feature requires the use of Check Point Management Server (Gaia), a security management platform by Check Point, which allows central management of Check Point gateway security devices. Platform Compatibility The feature has been tested with the following Management Server and Gateway versions: Management Server Versions Version R80.30 with API version 1.5 (and above). In addition to this Management Server version, Check Point is provided a “hot fix” that provides a “Proxy API” ability which...
Continue reading →

Arista Macro Segmentation Service integration with Fortinet Firewalls

Description This document explains how to configure and deploy Arista MSS with Fortinet FortiGate firewalls (also called FortiGate: Next Generation Firewall or NGFW). The feature requires use of FortiManager, a security management platform by Fortinet, which allows central management of Fortinet Network Security devices, such as FortiGate firewalls. Platform Compatibility The feature has been tested with the following FortiManager and FortiGate versions: FortiManager Versions FortiManager 5.6.2 and 6.0.1 (and above) FortiGate Versions FortiGate 5.6.3, 5.6.4 and 6.0.0 build 5056 (Interim) (and above) FortiGate Hardware Types Arista MSS has been designed to provide security integration with data center class firewalls. FG100E...
Continue reading →


Get every new post on this blog delivered to your Inbox.

Join other followers: